What are the key steps you would take to investigate and contain a suspected phishing-based compromise using SIEM and EDR data?